For those of you who know me, Henry was my basset hound, and the fictitious name used during (ahem) special research. I'm a former intelligence officer, a professional analyst, and a blogger since 2004 writing about my experiences on the journey --information security, cyber intelligence, education, thoughts. Some love my writings others hate it. If you like it, follow me!

Tuesday, March 22, 2016

A Case Study in Stock Price Movement and Cyber Risk?

We've been doing a bit of R&D. Last week I announced a new tool (Cyberwatch(R))that we've fielded in it's minimally viable form, looking to get feedback. The thinking was, we wanted to see if there were correlations between the number of times we saw a company show up in our intelligence sources and their stock price.

The example we'd toyed with was a bit ambitious but it made for a great test case.

Here's what we did. We have approximately four years of back data. Every day we counted the number of times we saw "amazon.com" or any subdomain or IP addresses in our daily queries. We figured if we kept the model simple, anyone could understand it... I don't like complex algorithms --the only people who understand them are the people who write them. I wanted math that anyone could look at quickly and know what it meant.

Wapack Labs watched the intelligence space (dark web, chatter, etc.) during this time, and counted the number of times we saw anything associated with Amazon --and we plotted it on a moving timeline against the stock price in a chart resembling a stock chart. The result? We showed movement in both the cyber threat activity, and movement of the stock price (we recognize that there are many variables that make a company's stock price move, and Amazon's stock takes a lot to market influencers to make it move). There was a spike on August 4th, followed a short period when we lost eyes, and then an increase in underground 'chatter' shortly after as we watched circular reporting by other reporting outlets. The public reaction to the bad press was evidenced by the downward movement in the stock price. The underground activity? Was this targeting of Amazon because of the bad news? Not sure, but our chart clearly shows something.

So the question is, can increased cyber activity in the underground affect a company's stock price? Probably not directly, but what if the chatter that we monitor turns to action? Absolutely. Cyber isn't the only indicator that can be used to help predict stock movement, but certainly it's one that should be considered. And our experiment in identifying a new means of monitoring cyber intelligence as a leading indicator to potential damage to a company in the form of stock price movement, is proving very cool. Amazon's stock is affected by millions of variables, not just cyber, but what about the company who's price isn't as resilient to changes in a singular variable --like cyber activities focused on them?

On November 9th we saw a massive spike in activity as we slide our viewing window to the right. Why? We believe this was a lead-up to Black Friday, when folks were planning, talking about, exchanging tools and credentials that could potentially exploit retailers during the holiday season. Are we sure? No. Intelligence never is, but clearly, there's a massive spike and then a drop-off to nearly zero on the actual day --why? Bad guys need time off too, and they've already planted their tools. Now they simply sit back and collect the loot.

Activity remained fairly consistent throughout until after the holiday, then spiked again during return season, including a massive dump of credentials (AKA Pony Dump) that affected just about every large company --not targeted, but massive. We had to change the scale to show the massive number of times that we saw Amazon in our intelligence sources... from hundreds to thousands. The good news for Amazon? It wasn't just them. It affected everyone out there. A quick comparison of the average Cyber Threat Index(R) for the companies in the Dow Jones and S&P 500 (both shown on our website -cyberwatch.wapacklabs.com) show that the average large enterprise company was mentioned over 5000 times. Amazon actually faired better than most.

Figure 3: Amazon's Cyber Threat Index on the day of the "Pony" dump of credentials

We launched Cyberwatch(R) this week in bare bones format. There's a place to submit feature requests and bugs, but the idea is, subscribers will be able to monitor portfolios of companies in addition to their own. I'd encourage you to log in with your company domain and a stock ticker if you have one. Viewing the graphics and looking at industry or geographic trends won't cost you anything, but pulling the actual intelligence behind the graphics will.

Our thinking in this is simple... Boards, CEOs and CFOs want to know how all that money they're spending on security affects the profitable operation of the business, the stock price, and value to the shareholders. CIOs, CISOs, and techies want to know how to fix the problems that their CEO's are aware of (hopefully before he or she asks). Because we monitor non-public sources, the graphics are often times leading indicators of potential threats. Is it actionable? You bet. If you see five threats (shown in Figure 2) on that particular morning when you're monitoring the Cyber Threat Index(R) for that day, according to our sources, you have five things to monitor for or block before you finish your first coffee in the morning.

Your money guys know you've seen the problems and fixed them. They also know they can monitor their threat activity levels for spikes and have awareness of how it might affect the company. And investors and portfolio managers now have (admittedly early maturity) a tool that can be used to measure risk before they invest.

While not a perfect science, predicting the stock market never is, we clearly show intelligence (primary sourced --not circular reporting or social media) activity increasing shortly after the the NY Times called out Amazon as a harsh place to work. Is it related? Not sure. But certainly there's a corresponding movement in Amazon's stock price during the timeframe. And one sample isn't nearly enough to be able to show a 1-to-1 correlation, but for any investor considering the purchase of a large block of stock, or an M&A, monitoring a portfolio deal, or supply chain, I'd think that the idea that price of that new investment can be influenced by movement in what we're calling (and trademarked and now patent pending) Cyber Threat Index(R), is actually pretty cool. If this works --and I suspect it will, there's now a cyber means of identifying trends that *could* move stock prices, and for any executive or board wanting to understand the value of the security required (and funded), they can monitor that activity by simply watching the trend line.

This is a bit unusual, but it's one of the reasons we did't take external investments. We want to be able to experiment and find new ways to transcend things like the language barrier, and how CISOs show the value of their spend and efforts, and how companies translate security posture wording into something their investors understand. Is it perfect? Not by a long shot. Is it promising? You bet.